The GDPR introduces mandatory breach notification - breaches must be reported to the Office of the Data Protection Commissioner (ODPC) within 72 hours, unless the personal data affected was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.

• Data Breach Procedure
• Data Breach Report Form
• How to reduce the risk of a Data Breach

Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

All breaches or suspected breaches should therefore be reported to the University’s Data Protection Officer without delay for assessment.

What is a "data breach"?

The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

For example, an unauthorised/accidental:

• disclosure of, or access to, personal data.
• alteration of personal data.
• loss of access to, or destruction of, personal data.

Data breaches may occur in a variety of contexts, such as:

• Loss/theft of personal data (e.g. on a memory stick, laptop or paper records)
• Inappropriate access controls (e.g. using unsecure passwords)
• Equipment failure
• personal data being left unlocked in accessible areas (e.g. leaving IT equipment unattended when logged into a user account, leaving documents on top of shared photocopiers)
• Disclosing personal data to unauthorised individuals (internal or external to the University)
• Human error (e.g. emails/post being sent to the wrong recipient)
• Hacking, viruses or other security attacks on IT equipment systems or networks
• Breaches of physical security (e.g. forcing of doors/windows/filing cabinets)

If a data breach/suspected data breach is identified, please take the following steps WITHOUT DELAY:

• Inform the Data Protection Officer (dataprotection@ul.ie) and your Line Manager/Head of Functional Area.
• Please complete the Data Breach Report Form and email it to dataprotection@ul.ie as soon as possible.

last updated 13 March 2019